How to Avoid Becoming the Villain (Part 2)

(0 votes, average: 0.00 out of 5)You need to be a registered member to rate this post.

Life is full of surprises. I recently wrote an article titled How to Avoid Becoming the Villain on why it is so important to configure your servers correctly so that people cannot exploit them for illegal purposes. A few days ago, I came across a case that adds weight to the points I made then.

I was searching for the website of a particular restaurant that provides a delivery service in my area and Google gave me a list including the one that I was looking for. However, the search engine warned me that the website may have been compromised or infected with malware. Now, what would a hungry person working in IT security do in such a situation? Exactly! Forget about food for a little while and look into the matter.

Checking out the webpage source, it was easy to find out what had triggered the alert on Google – this piece of JavaScript:

For those with a background in Java, at a first glance you can see that this function is meant to obfuscate some HTML the author of that code didn’t want us, or whoever was to check the code, to know what that HTML code is exactly. Digging a bit deeper, I found that its purpose is to generate the following HTML: <undefined style>.nemonn{position:absolute;top:-9999px}</style>

The purpose of that HTML is to position a class called .nemonn outside of the screen, making it invisible to anyone visiting the webpage. What did class nemonn contain? Class nemonn contained adverts and links to sites that sell stuff like medicines, low cost loans and other suspicious offers and deals.

But why?

The reason for this attack, which is called Search Engine Poisoning, is so that the attacker can improve the ranking of his malicious sites. Anyone visiting the website will not notice anything out of place, while search engines going through the victim’s website will find all the links that class nemonn is linking to. The search engine will then raise the ranking of those links based on the fact they seem quite popular since other sites are linking back to them.

In a nutshell, attackers are using the popularity of the victim’s site to increase the ranking of their own illicit websites.

This episode highlighted another issue. The attackers were able to gain access to and modify the HTML. The modifications were harmless to people legitimately visiting the webpage but they could also have been used for malware drive by downloads, or to use the website as a platform to launch phishing attacks or include exploits that compromise the user’s machine when visiting the website.

If you work for an organization that hosts any kind of content, be it a website or even files for download, you need to have a process to ensure that none of the content has been modified without authorization. It’s easy to upload data to your website and then forget about it so long as it’s working fine. However, you are taking a number of risks if that data is not protected.

Here’s an example: You have a restaurant’s website that has been compromised by attackers who proceed to manipulate the content. Let’s say that the restaurant had an online shopping cart and facilitated the use of credit cards. All an attacker has to do to steal the credit card details is to write a script that takes the same input as the legitimate form.

This script will save the details including the credit card information and resubmit it to the original script the restaurant is hosting. This might trigger a warning if the site is hosted on HTTP Secure, but unless the user is tech savvy they are very likely to dismiss the warning especially since everything else will work as expected. Even tech savvy and security conscious users might dismiss the warning as nothing more than a redirect to an unsecure site after the order has been completed, which is something that we often see happen legitimately.

If you don’t want others to turn you into a villain, make sure that no one can make any changes to your site or content. Also, ensure the software products you are using are patched, up-to-date and secure. I was curious to know how the website I was looking for was compromised in the first place. It turned out that they were using an old version of a popular content management system with known vulnerabilities. This is the most likely route the attackers took. The moral of the story is that you should never set up a website and forget about it.

About the Author: Emmanuel Carabott

Emmanuel Carabott (CISSP) Certified Information Systems Security Professional has been working in the IT field for the past 18 years. He has joined GFI in 1999 where he currently heads the security research team.

Emmanuel is also a contributor to the GFI Blog where he regularly posts articles on various topics of interest to sysadmins and other IT professions focusing primarily on the area of information security.